I've heard this story more than once...tell me if it sounds familiar to you: a student in high school who is extremely computer savvy hacks into the computer system at their high school. They don't do anything bad while they're in the system; the student just saw a weakness in the security of the system, saw it as a challenge, and went ahead and broke into the system. After the fact, when they find themselves in legal trouble, the student claims that they were merely hoping to demonstrate the vulnerability to the school so they could fix the security issue.
Stories like this matter, even if you're not a hacker in high school, and even if you don't have kids in high school. Why is it relevant? I'll get to that in a second, but first, a few things to consider:
First, I don't think the student is in the right here, even if the law were on their side. If someone broke into my house and left a note on my fridge reading, "Hey, I figured out how to break into your house, but I didn't take anything; just FYI, should fix your security system," I would feel personally invaded, and as though a crime had been committed. Good intent doesn't get a pass from me on this one.
Next, these stories don't mention it, but you do hope that the parties whose data was breached by the student hacker were made aware of the breach and what data was exposed, so the owners of that data in the system could take action. If the school's system is storing unencrypted credit card data of parents (unlikely, I know), those parents should be made aware of it so they have the chance to take action to protect themselves. Legislation in California (per SB 1386) forces companies with data breaches to notify the owners of the data about the breach. To my knowledge, this isn't true in any other state.
The stories also never tell you whether or not the school is taking any action to patch the security hole that the student uncovered. As a parent with a student in the school, I'd consider this to be relevant information.
These are good things to consider in light of these stories, but here's the most important takeaway from this story: the student hacker felt that the best way to get the school's attention in regards to the security flaw in their computer system was to hack into it.
Think about that. Instead of sending an email, writing a letter, or just going into the office and telling someone at the school about the system's weakness, the student chooses to break the law. Granted, computer-savvy students often lack basic social skills, and maybe they're ignorant of the law. But while I think they don't get a free pass, taking drastic action to make a simple point actually makes some sense in this context.
To understand why, you have to look at the history of software security over the past 30 years. The track record is not good. Generally, if an outsider approached a software vendor and said, "I found a security hole in your product", more often than not, the software vendor ignored it. This is a problem of incentives: most security problems in software inconvenience the users of the software, not the company that develops the software. If this holds true, the company is better off letting the problem slide and hoping people don't notice. This is almost always cheaper than reworking a large software package to fix the error.
So maybe the student hacker, in these cases, isn't just crazy. Maybe they assessed, correctly, that if they presented the problem to the school in an email, they would be ignored. And this is the problem.
Why is this important? Why on earth should we care about this? Simple: more and more, the small actions we take are producing and storing data about us, usually for the long-term. These systems are everywhere. It might be data on our children in high school, it might be credit card data, or it might be any number of things. If it's our data, then we are stakeholders of the system being maintained, and as stakeholders, the maintainers of the system should be receptive to (and perhaps even elicit) feedback from us about how well the system is doing its job.
If a high school student finds a security flaw in their school's computer system, that should become the start of a conversation, not a crime.
As I said before, the student doesn't get a pass from me for breaking rules or laws. But the school, as the maintainer of a computer system that stores personal information about our kids, doesn't get a pass from me on storing sensitive information and not securing it properly. No company that stores information about us should.